Dnscmd

A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network.

The ageallrecords command is for backward compatibility between the current version of DNS and previous releases of DNS in which aging and scavenging were not supported. It adds a time stamp with the current time to resource records that do not have a time stamp, and it sets the current time on resource records that do have a time stamp.

Record scavenging does not occur unless the records are time stamped. Name server (NS) resource records, start of authority (SOA) resource records, and Windows Internet Name Service (WINS) resource records are not included in the scavenging process, and they are not time stamped even when the ageallrecords command runs.

This command fails unless scavenging is enabled for the DNS server and the zone. For information about how to enable scavenging for the zone, see the aging parameter under “Zone-Level Syntax” in the dnscmd /config command.

The addition of a time stamp to DNS resource records makes them incompatible with DNS servers that run on operating systems other than Windows 2000, Windows XP, or Windows Server 2003. A time stamp that you add by using the ageallrecords command cannot be reversed.

If none of the optional parameters are specified, the command returns all resource records at the specified node. If a value is specified for at least one of the optional parameters, dnscmd enumerates only the resource records that correspond to the value or values that are specified in the optional parameter or parameters.

Changes values in the registry for the DNS server and individual zones. Accepts server-level settings and zone-level settings.

Caution

Do not edit the registry directly unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can degrade performance, damage your system, or even require you to reinstall Windows. You can safely alter most registry settings by using the programs in Control Panel or Microsoft Management Console (MMC). If you must edit the registry directly, back it up first. Read the Registry Editor Help for more information.

Specifies the DNS server that you are planning to manage, represented by local computer syntax, IP address, FQDN, or host name. If this parameter is omitted, the local server is used.

<Parameter>

Specify a setting and, as an option, a value. Parameter values use this syntax: Parameter [Value]

The following parameter values are described in the remainder of this section:

/addressanswerlimit

/bindsecondaries

/bootmethod

/defaultagingstate

/defaultnorefreshinterval

/defaultrefreshinterval

/disableautoreversezones

/disablensrecordsautocreation

/dspollinginterval

/dstombstoneinterval

/ednscachetimeout

/enableednsprobes

/enablednssec

/enableglobalnamessupport

/enableglobalqueryblocklist

/eventloglevel

/forwarddelegations

/forwardingtimeout

/globalnamesqueryorder

/globalqueryblocklist

/isslave

/localnetpriority

/logfilemaxsize

/logfilepath

/logipfilterlist

/loglevel

/maxcachesize

/maxcachettl

/maxnegativecachettl

/namecheckflag

/notcp

/norecursion

/recursionretry

/recursiontimeout

/roundrobin

/rpcprotocol

/scavenginginterval

/secureresponses

/sendport

/serverlevelplugindll

/strictfileparsing

/updateoptions

/writeauthorityns

/xfrconnecttimeout

/addressanswerlimit [0|5-28]

Specifies the maximum number of host records that a DNS server returns in a response to a query. The value can be zero (0), which means no limit, or it can be in the range of 5 through 28 records. The default value is zero (0).

/bindsecondaries [0|1]

Changes the format of the zone transfer so that it can achieve maximum compression and efficiency. However, this format is not compatible with earlier versions of Berkeley Internet Name Domain (BIND).

0

Uses maximum compression. This format is compatible with BIND versions 4.9.4 and later only.

1

Sends only one resource record per message to non-Microsoft DNS servers. This format is compatible with BIND versions earlier than 4.9.4. This is the default setting.

/bootmethod [0|1|2|3]

Determines the source from which the DNS server gets its configuration information.

0

Clears the source of configuration information.

1

Loads from the BIND file that is located in the DNS directory, which is %systemroot%\System32\DNS by default.

2

Loads from the registry.

3

Loads from AD DS and the registry. This is the default setting.

/defaultagingstate [0|1]

Determines whether the DNS scavenging feature is enabled by default on newly created zones.

0

Disables scavenging. This is the default setting.

1

Enables scavenging.

/defaultnorefreshinterval [0x1-0xFFFFFFFF|0xA8]

Sets the period, in hours, during which the server does not accept refreshes (updates that change only the time stamp) of dynamically registered records. Zones on the server inherit this value automatically. To change the default value, type a value in the range of 0x1-0xFFFFFFFF. The default value from the server is 0xA8 (168 hours, or 7 days).

/defaultrefreshinterval [0x1-0xFFFFFFFF|0xA8]

Sets the period, in hours, that follows the no-refresh interval, during which refreshes of dynamically registered records are accepted. A record that is not refreshed by the end of this period becomes eligible for scavenging. Zones on the server inherit this value automatically. To change the default value, type a value in the range of 0x1-0xFFFFFFFF. The default value from the server is 0xA8 (168 hours, or 7 days).

/disablensrecordsautocreation [0|1]

Determines whether the DNS server automatically creates name server (NS) resource records for the zones that it hosts. 0 creates them (the default); 1 does not. The zone-level /allownsrecordsautocreation setting overrides this value for an individual zone.

/dspollinginterval 0-30

Specifies how often the DNS server polls AD DS for changes in Active Directory–integrated zones.

/dstombstoneinterval [1-30]

The amount of time in seconds to retain deleted records in AD DS.

/ednscachetimeout [<seconds>]

Specifies the number of seconds that Extended DNS (EDNS) information is cached. The minimum value is 3600, and the maximum value is 15,724,800. The default value is 604,800 seconds (one week).

/enableednsprobes {0|1}

Enables or disables the server to probe other servers to determine if they support EDNS.

0

Disables active support for EDNS probes.

1

Enables active support for EDNS probes.

/enablednssec {0|1}

Enables or disables support for DNS Security Extensions (DNSSEC).

0

Disables DNSSEC.

1

Enables DNSSEC.

/enableglobalnamessupport {0|1}

Enables or disables support for the GlobalNames zone. The GlobalNames zone supports resolution of single-label DNS names across a forest.

0

Disables support for the GlobalNames zone. When you set the value of this command to 0, the DNS Server service does not resolve single-label names in the GlobalNames zone.

1

Enables support for the GlobalNames zone. When you set the value of this command to 1, the DNS Server service resolves single-label names in the GlobalNames zone.

/enableglobalqueryblocklist {0|1}

Enables or disables support for the global query block list that blocks name resolution for names in the list. The DNS Server service creates and enables the global query block list by default when the service starts the first time. To view the current global query block list, use the dnscmd /info /globalqueryblocklist command.

0

Disables support for the global query block list. When you set the value of this command to 0, the DNS Server service responds to queries for names in the block list.

1

Enables support for the global query block list. When you set the value of this command to 1, the DNS Server service does not respond to queries for names in the block list.

/eventloglevel [0|1|2|4]

Determines which events are logged in the DNS server log in Event Viewer.

0

Logs no events.

1

Logs only errors.

2

Logs only errors and warnings.

4

Logs errors, warnings, and informational events. This is the default setting.

/forwarddelegations [0|1]

Determines how the DNS server handles a query for a name in a delegated subzone. The query can be sent either to the name servers of that subzone or to the forwarders that are configured for the DNS server. This setting has an effect only when forwarding is enabled.

0

Automatically sends queries that refer to delegated subzones to the appropriate subzone. This is the default setting.

1

Forwards queries that refer to the delegated subzone to the existing forwarders.

/forwardingtimeout [<seconds>]

Determines how many seconds (0x1-0xFFFFFFFF) a DNS server waits for a forwarder to respond before trying another forwarder. The default value is 0x5, which is 5 seconds.

/globalnamesqueryorder {0|1}

Specifies whether the DNS Server service looks first in the GlobalNames zone or local zones when it resolves names.

0

The DNS Server service attempts to resolve names by querying the GlobalNames zone before it queries the zones for which it is authoritative.

1

The DNS Server service attempts to resolve names by querying the zones for which it is authoritative before it queries the GlobalNames zone.

/globalqueryblocklist [<name> [<name>]...]

Replaces the current global query block list with a list of the names that you specify. If you do not specify any names, this command clears the block list. By default, the global query block list contains the following items:

isatap

wpad

The DNS Server service can remove either or both of these names when it starts the first time, if it finds these names in an existing zone. The two defaults exist because wpad (Web Proxy Auto-Discovery) and isatap are names that clients resolve automatically; without the block list, any client permitted to register records dynamically could register them and route other clients' proxy or tunnel traffic through itself. A name that you drop from this list, or a list that you clear, becomes resolvable again as soon as a matching record exists in a zone.
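The safe way to change the block list, as an added example that is not part of the dnscmd reference: because /globalqueryblocklist replaces the whole list, the function always writes the complete set of names in one call, keeps the two Microsoft defaults unless the caller explicitly drops them, and refuses to write an empty list by accident. It runs against the local DNS server (the default when no server name is given); the extra name proxyconfig is a hypothetical entry chosen for illustration.

```powershell
# Added example, not part of the dnscmd reference. Runs against the local
# DNS server. 'proxyconfig' is a hypothetical name used for illustration.
function Set-DnsGlobalQueryBlockList {
    param(
        # Names to block in addition to Microsoft's defaults.
        [string[]]$ExtraNames = @(),
        # Set only if you have deliberately decided to serve wpad/isatap.
        [switch]$DropDefaults
    )
    $names = if ($DropDefaults) { @() } else { @('wpad', 'isatap') }
    $names = @($names + $ExtraNames | Select-Object -Unique)

    # Make sure the list is actually enforced; 0 would make the server
    # answer queries for the blocked names.
    dnscmd /config /enableglobalqueryblocklist 1
    if ($LASTEXITCODE -ne 0) { throw "enableglobalqueryblocklist failed: $LASTEXITCODE" }

    # /globalqueryblocklist REPLACES the whole list, so the full set is
    # written in one call. Calling it with no names at all clears the list.
    if ($names.Count -eq 0) { throw 'Refusing to clear the global query block list' }
    dnscmd /config /globalqueryblocklist @names
    if ($LASTEXITCODE -ne 0) { throw "globalqueryblocklist failed: $LASTEXITCODE" }

    # Read back what the server now holds so the change can be confirmed.
    dnscmd /info /globalqueryblocklist
}

# Block wpad, isatap and one extra name.
Set-DnsGlobalQueryBlockList -ExtraNames 'proxyconfig'
```

Run it on the DNS server itself with an account that may change the server configuration. The array splat (@names) passes each name to dnscmd as a separate argument, which is the form the parameter expects.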

/isslave [0|1]

Determines how the DNS server responds when queries that it forwards receive no response.

0

Specifies that the DNS server is not a subordinate (also known as a slave). If the forwarder does not respond, the DNS server attempts to resolve the query itself. This is the default setting.

1

Specifies that the DNS server is a subordinate. If the forwarder does not respond, the DNS server terminates the search and sends a failure message to the resolver.

/localnetpriority [0|1]

Determines the order in which host records are returned when the DNS server has multiple host records for the same name.

0

Returns the records in the order in which they are listed in the DNS database.

1

Returns the records that have similar IP network addresses first. This is the default setting.

/logfilemaxsize [<size>]

Specifies the maximum size in bytes (0x10000-0xFFFFFFFF) of the Dns.log file. When the file reaches its maximum size, DNS overwrites the oldest events. The default size is 0x400000, which is 4 megabytes (MB).

/logfilepath [<Path+LogFileName>]

Specifies the path of the Dns.log file. The default path is %systemroot%\System32\Dns\Dns.log. You can specify a different path by using the format Path+LogFileName.

/logipfilterlist <IPAddress> [,<IPAddress>...]

Specifies which packets are logged in the debug log file. The entries are a list of IP addresses. Only packets going to and from the IP addresses in the list are logged.

/loglevel [<EventType>]

Determines which types of events are recorded in the Dns.log file. Each event type is a bit flag represented by a hexadecimal number. To log more than one event type, combine the flags with a bitwise OR (adding the hexadecimal values gives the same result as long as no flag is included twice), and enter the combined value.

0x0

The DNS server does not create a log. This is the default entry.

0x1

Logs queries.

0x10

Logs notifications.

0x20

Logs updates.

0xFE

Logs nonquery transactions.

0x100

Logs question transactions.

0x200

Logs answers.

0x1000

Logs send packets.

0x2000

Logs receive packets.

0x4000

Logs User Datagram Protocol (UDP) packets.

0x8000

Logs Transmission Control Protocol (TCP) packets.

0xFFFF

Logs all packets.

0x10000

Logs Active Directory write transactions.

0x20000

Logs Active Directory update transactions.

0x1000000

Logs full packets.

0x80000000

Logs write-through transactions.

/maxcachesize

Specifies the maximum size, in kilobytes (KB), of the DNS server’s memory cache.

/maxcachettl [<seconds>]

Determines how many seconds (0x0-0xFFFFFFFF) a record is saved in the cache. If the 0x0 setting is used, the DNS server does not cache records. The default setting is 0x15180 (86,400 seconds or 1 day).

/maxnegativecachettl [<seconds>]

Specifies how many seconds (0x1-0xFFFFFFFF) an entry that records a negative answer to a query remains stored in the DNS cache. The default setting is 0x384 (900 seconds).

/norecursion [0|1]

Determines whether the DNS server performs recursive name resolution when a query requests it.

0

The DNS server performs recursive name resolution if it is requested in a query. This is the default setting.

1

The DNS server does not perform recursive name resolution.

/notcp

This parameter is obsolete, and it has no effect in current versions of Windows Server.

/recursionretry [<seconds>]

Determines the number of seconds (0x1-0xFFFFFFFF) that a DNS server waits before again trying to contact a remote server. The default setting is 0x3 (three seconds). This value should be increased when recursion occurs over a slow wide area network (WAN) link.

/recursiontimeout [<seconds>]

Determines the number of seconds (0x1-0xFFFFFFFF) that a DNS server waits before it stops trying to contact a remote server. The default setting is 0xF (15 seconds). Increase this value when recursion occurs over a slow WAN link.

/roundrobin [0|1]

Determines the order in which host records are returned when a server has multiple host records for the same name.

0

The DNS server does not use round robin. Instead, it returns the first record to every query.

1

The DNS server rotates among the records that it returns from the top to the bottom of the list of matching records. This is the default setting.

/rpcprotocol [0x0|0x1|0x2|0x4|0xFFFFFFFF]

Specifies the protocol that remote procedure call (RPC) uses when it makes a connection from the DNS server.

0x0

Disables RPC for DNS.

0x1

Uses TCP/IP.

0x2

Uses named pipes.

0x4

Uses local procedure call (LPC).

0xFFFFFFFF

All protocols. This is the default setting.

/scavenginginterval [<hours>]

Determines whether the scavenging feature for the DNS server is enabled, and sets the number of hours (0x0-0xFFFFFFFF) between scavenging cycles. The default setting is 0x0, which disables scavenging for the DNS server. A setting greater than 0x0 enables scavenging for the server and sets the number of hours between scavenging cycles.

/secureresponses [0|1]

Determines whether the DNS server filters the records that it accepts into its cache. This is the setting that DNS Manager presents as "Secure cache against pollution".

0

Caches all records returned in responses to name queries. This is the default setting as documented here; check the effective value on your server with dnscmd /info /secureresponses before relying on it.

1

Caches only the records whose names belong to the same DNS subtree as the queried name. Records outside that subtree are discarded, which stops a remote server from injecting records for unrelated names into the cache.

/sendport [<port>]

Specifies the port number (0x0-0xFFFFFFFF) that DNS uses to send recursive queries to other DNS servers. The default setting is 0x0, which means that the port number is selected randomly. A fixed send port removes source-port randomization, which makes it easier for an attacker to poison the cache with spoofed responses; leave this at 0x0 unless a firewall rule forces a fixed port, and then restrict which servers can reach it.

/serverlevelplugindll[<DllPath>]

Specifies the path of a custom plug-in. When DllPath specifies the fully qualified path name of a valid DNS server plug-in, the DNS server calls functions in the plug-in to resolve name queries that are outside the scope of all locally hosted zones. If a queried name is out of the scope of the plug-in, the DNS server performs name resolution using forwarding or recursion, as configured. If DllPath is not specified, the DNS server ceases to use a custom plug-in if a custom plug-in was previously configured. The DLL is loaded into the DNS Server service process and runs with that service's privileges, so whoever can change this setting can run code as the service: point it only at a trusted, access-controlled path, and audit changes to it.

/strictfileparsing [0|1]

Determines a DNS server's behavior when it encounters an erroneous record while loading a zone.

0

The DNS server continues to load the zone even if the server encounters an erroneous record. The error is recorded in the DNS log. This is the default setting.

1

The DNS server stops loading the zone, and it records the error in the DNS log.

/updateoptions <RecordValue>

Prohibits dynamic updates of specified types of records. To prohibit more than one record type, use hexadecimal addition to add the values, and then enter the sum.

/writeauthorityns [0|1]

Determines when the DNS server writes name server (NS) resource records in the Authority section of a response.

0

Writes name server (NS) resource records in the Authority section of referrals only. This setting complies with RFC 1034, “Domain names—concepts and facilities,” and with RFC 2181, “Clarifications to the DNS Specification.” This is the default setting.

1

Writes name server (NS) resource records in the Authority section of all successful authoritative responses.

/xfrconnecttimeout [<seconds>]

Determines the number of seconds (0x0-0xFFFFFFFF) a primary DNS server waits for a transfer response from its secondary server. The default value is 0x1E (30 seconds). After the time-out value expires, the connection is terminated.

Zone-Level Syntax

Specify a setting, a zone name, and, as an option, a value. Parameter values use this syntax: ZoneName Parameter [Value]

The following parameter values are documented in the remainder of this section:

/aging

/allownsrecordsautocreation

/allowupdate

/forwarderslave

/forwardertimeout

/norefreshinterval

/refreshinterval

/securesecondaries

/aging <ZoneName>

Enables (1) or disables (0) aging and scavenging in a specific zone. Records in the zone are scavenged only if /scavenginginterval is also set to a value greater than 0x0 at the server level.

/allownsrecordsautocreation <ZoneName> [<Value>]

Overrides the DNS server's name server (NS) resource record autocreation setting. Name server (NS) resource records that were previously registered for this zone are not affected. Therefore, you must remove them manually if you do not want them.

/allowupdate <ZoneName>

Determines whether the specified zone accepts dynamic updates: 0 rejects all dynamic updates, 1 accepts both nonsecure and secure updates, and 2 accepts only secure updates (available for Active Directory–integrated zones only). With nonsecure updates allowed, any host that can reach the server can add or overwrite records in the zone.

/forwarderslave <ZoneName>

Overrides the DNS server /isslave setting.

/forwardertimeout <ZoneName>

Determines how many seconds a DNS zone waits for a forwarder to respond before trying another forwarder. This value overrides the value that is set at the server level.

/norefreshinterval <ZoneName>

Sets a time interval for a zone during which no refreshes can dynamically update DNS records in a specified zone.

/refreshinterval <ZoneName>

Sets a time interval for a zone during which refreshes can dynamically update DNS records in a specified zone.

/securesecondaries <ZoneName>

Determines which secondary servers can receive zone transfers from the primary (master) server for this zone: 0 allows transfers to any server, 1 only to the servers listed in the zone's name server (NS) resource records, 2 only to the servers in the zone's secondary server list, and 3 disables zone transfers for the zone. Allowing transfers to any server exposes the full contents of the zone to anyone who can reach TCP port 53 on the server.
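The whole scavenging procedure in one script, as an added example that is not part of the dnscmd reference: it covers the server-level /defaultagingstate, /defaultnorefreshinterval, /defaultrefreshinterval and /scavenginginterval settings, the zone-level /aging, /norefreshinterval and /refreshinterval settings, and finally the ageallrecords command described at the top of the page. The zone name corp.example.com is hypothetical, the intervals are the 0xA8 (168-hour) defaults with a 24-hour scavenging cycle, and the ageallrecords arguments (/tree to stamp child nodes, /f to skip the prompt) are assumed from that command's own syntax, which this page does not reproduce.

```powershell
# Added example, not part of the dnscmd reference. The zone name is
# hypothetical; intervals are the documented 0xA8 defaults plus a 24-hour
# scavenging cycle; the ageallrecords switches are assumed from its syntax.
$zone = 'corp.example.com'

function Invoke-Dnscmd {
    # Run dnscmd and stop at the first failing step instead of carrying on
    # to ageallrecords, which cannot be undone.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & dnscmd @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Server level: new zones age by default, the default intervals are
#    7 days each, and the server runs a scavenging cycle every 24 hours.
Invoke-Dnscmd '/config', '/defaultagingstate', '1'
Invoke-Dnscmd '/config', '/defaultnorefreshinterval', '0xA8'
Invoke-Dnscmd '/config', '/defaultrefreshinterval', '0xA8'
Invoke-Dnscmd '/config', '/scavenginginterval', '0x18'

# 2. Zone level: turn aging on for an existing zone and set its intervals
#    explicitly rather than relying on inheritance.
Invoke-Dnscmd '/config', $zone, '/aging', '1'
Invoke-Dnscmd '/config', $zone, '/norefreshinterval', '0xA8'
Invoke-Dnscmd '/config', $zone, '/refreshinterval', '0xA8'

# 3. Show the effective settings before stamping anything; ageallrecords
#    fails unless both server and zone have scavenging enabled.
Invoke-Dnscmd '/info', '/scavenginginterval'
Invoke-Dnscmd '/zoneinfo', $zone, '/aging'

# 4. Stamp the existing records with the current time. NS, SOA and WINS
#    records are skipped, and the time stamps cannot be removed afterwards.
Invoke-Dnscmd '/ageallrecords', $zone, '/tree', '/f'
```

Run step 4 only once the intervals are what you intend: every record stamped now becomes eligible for deletion after the no-refresh plus refresh interval unless its owner refreshes it, so a static record that nobody re-registers must be excluded or re-created with no time stamp.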

Creates a DNS application directory partition. When DNS is installed, an application directory partition for the service is created at the forest and domain levels. Use this command to create DNS application directory partitions that were deleted or never created. With no parameter, this command creates a built-in DNS directory partition for the domain.

Creates a DNS application directory partition. When DNS is installed, an application directory partition for the service is created at the forest and domain levels. This operation creates additional DNS application directory partitions.

The enumzones parameters act as filters on the list of zones. If no filters are specified, a complete list of zones is returned. When a filter is specified, only the zones that meet that filter's criteria are included in the returned list of zones.

This command displays registry settings that are at the DNS server level. To display zone-level registry settings, use the dnscmd /zoneinfo command. To see a list of settings that can be displayed with this command, see the dnscmd /config description.

By default, a DNS server performs iterative queries when it cannot resolve a query.

Setting IP addresses by using the resetforwarders command causes the DNS server to perform recursive queries to the DNS servers at the specified IP addresses. If the forwarders do not resolve the query, the DNS server can then perform its own iterative queries.

If the /slave parameter is used, the DNS server does not perform its own iterative queries. This means that the DNS server forwards unresolved queries only to the DNS servers in the list, and it does not attempt iterative queries if the forwarders do not resolve them. It is more efficient to set one IP address as a forwarder for a DNS server. You can use the resetforwarders command for internal servers in a network to forward their unresolved queries to one DNS server that has an external connection.

Listing a forwarder’s IP address twice causes the DNS server to attempt to forward to that server twice.

The writebackfiles command updates all dirty zones or a specified zone. A zone is “dirty” when there are changes in memory that have not yet been written to persistent storage. This is a server-level operation that checks all zones. You can specify one zone in this operation or you can use the dnscmd /zonewriteback operation.

The zoneexport operation creates a file of resource records for an Active Directory–integrated zone for troubleshooting purposes. By default, the file that this command creates is placed in the DNS directory, which is by default the %systemroot%\System32\Dns directory.

The zonerefresh command forces a check of the version number in the master server’s start of authority (SOA) resource record. If the version number on the master server is higher than the secondary server's version number, a zone transfer is initiated that updates the secondary server. If the version number is the same, no zone transfer occurs.

A secondary server performs this check on its own at the interval given by the refresh field of the zone's start of authority (SOA) resource record, which is 15 minutes (900 seconds) for zones created by Windows DNS. To change that interval, edit the refresh value in the zone's SOA record. The zone-level /refreshinterval setting of dnscmd /config is the aging (scavenging) refresh interval and does not control zone transfers.